Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-2008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.” While the class deviation is a welcomed development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule.

DFARS 252.204-7012 requires prime contractors and their subcontractors to employ “adequate security” measures to protect “covered defense information.” Specifically, contractors must adhere to the security requirements in the version of NIST SP 800-171 that is in effect “at the time the solicitation is issued or as authorized by the Contracting Officer,” or employ alternative security measures approved in writing by an authorized representative of the DOD Chief Information Officer. Special Publication 800-171 describes fourteen families of basic security requirements. As described in section 2.2 of 800-171, each of these fourteen families has “derived security requirements,” which provide added detail of the security controls required to protect government data. These basic requirements are based on FIPS Publication 200, which “provides the high level and fundamental security requirements” for government information systems. The derived requirements are taken from the security controls contained in NIST Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” Among those derived requirements is one for “multifactor authentication for local and network access.”

DoD contractors and subcontractors should be aware of what the class deviation does and does not change:

Effective immediately, DoD contractors and subcontractors are required to comply with the clauses at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEVIATION 2016-O0001) (OCT 2015) and DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001) (OCT 2015), in lieu of the clauses that were issued as part of the August 26th interim rule.

Under the new clauses, DoD contractors (and subcontractors, through the prime contractor) may notify the contracting officer that they need up to 9 months (from the date of award or the date of a modification incorporating the new clauses) to comply with the requirements for “multifactor authentication for local and network access” in Section 3.5.3 of NIST SP 800-171.

The revised clauses apply to all DoD contracts and subcontracts, including those for the acquisition of commercial items.

The class deviation only impacts non-cloud contractor information systems that are not operated on behalf of the government (e.g., contractor internal systems).

DoD contractors and subcontractors that cannot meet the specific requirements of NIST 800-171, including the requirements of Section 3.5.3, may still seek authorization from DoD to use “[a]lternative but equally effective security measures.”

With the exception of the targeted changes to DFARS 252.204-7012 and DFARS 252.204-7008 (i.e., affording contractors up to 9 months to comply with Section 3.5.3 of NIST 800-171, provided they notify the contracting officer), all other requirements introduced by the August 26th interim rule remain in effect.

Non-cloud contractor information systems that are operated on behalf of the government remain “subject to the security requirements specified [in their contracts].”

During the solicitation phase of a procurement subject to the revised DFARS clauses, DoD contractors and subcontractors should engage technical experts to determine whether they would need additional time to satisfy the NIST requirements for multifactor authentication. If a contractor determines that additional time is needed, and is later awarded a contract subject to the new requirements, then the contractor should immediately notify the contracting officer in writing and should ensure that all subsequent communications with the government are adequately documented.

Upon providing such notice, contractors will have up to nine months (from the date of contract award or modification incorporating the revised clauses) to comply with Section 3.5.3 of NIST SP 800-171, which requires contractors to: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” See NIST SP 800-171, Section 3.5.3 (emphasis added). Section 3.5.3 is a derived requirement of the basic security requirement in section 3.5 for identification and authentication. Section 3.5.3 of NIST SP 800-171 notes that:

“Multifactor authentication” requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic device, token); or (iii) something you are (e.g., biometric). The requirement for multifactor authentication does not require the use of a federal Personal Identification Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. Rather, “[a] variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokes (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. See id., n. 22.

“Local access” is any access to an information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

“Network access” is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).